Description
What is the current behaviour and why should it be changed?
Currently, intermediate Mac releases (CI on master, nightlies) use a simplified build logic without real signing. We do ad-hoc signing via macdeployqt now (I think), but that doesn't go through the real signing code path in our CI logic.
This is the second time that we were caught by a build-related issue right at release time, and it only became apparent right then. If we had the same build logic for intermediate builds as well, we would have noticed way earlier.
(First time was signing + CodeQL which got the build stuck; second time was the universal builds which made the build run twice as long and trigger keychain locking, which also got the build stuck)
Describe possible approaches
We should either statically generate a certificate for intermediate signing or even generate it dynamically as part of the CI.
Has this feature been discussed and generally agreed?
No.